allentech.net

Parasite: SaveNow

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

A single process run at startup which monitors open IE windows and opens adverts when it sees targeted URLs and terms entered into forms.

Variants

SaveNow/Download comes bundled with a "WhenUDownload" ActiveX control.

SaveNow/B comes without the WhenUDownload component.

SaveNow/Save is a new version, rebranded as ‘Save!’, which works in the same manner.

SaveNow/Db is the same as the Save variant, but includes an ActiveX ‘marker’ control to prevent it being installed twice.

SaveNow/WUInst is an installer for the Save variant.

SaveNow/Search ("WhenU Search") also includes a Search.exe process that monitors web usage to provide targeted messages in a ‘toolbar’ just above the Windows task bar.

SaveNow/VVSN: a downloader process run at Windows startup that either loads a queued download of another WhenU product, or periodically opens a solitary advert for WhenU’s own application ClockSync (which itself bundles SaveNow/Save and /Search).

This is the same (misleading) advert usually used to promote ClockSync (yes, the clock might be wrong, but it probably isn’t, and definitely isn’t on Windows XP), except that a clickthrough leads to the software being queued for download and installation, rather than going through a further ActiveX download process. Its downloading job completed, VVSN removes itself.

Only the Download, Db, WUInst and Search variants of SaveNow can be detected by the script at this site.

Also known as

WhenU, the name of the company supplying the software.

Distribution

Bundled with BearShare and other P2P applications, the RadLight video player, and all software distributed by Galt Technologies.

The Db and WUInst variants are also installed by drive-by-download in pop-ups, often coupled with ‘ClockSync’ or ‘WeatherCast’.

Also installed by the WildMedia/WinFetcher, Roimoi and ISTbar parasites.

What it does

Advertising

Yes. SaveNow keeps a list of URLs and terms it is interested in on disk, in the obfuscated file ‘SaveNow\savenow.db’ or ‘Save\save.db’ in Program Files. The (often large) file maps from these targets to adverts to serve.

Privacy violation

SaveNow connects to WhenU’s servers to log the advert; the Search variant also logs targeted terms triggering toolbar messages. It passes the name of the affiliate software which installed the software, the ID of the advert being shown, and the site URL or term that caused the pop-up to be triggered.

However, no cookie is set on these accesses, and no unique ID is passed, so these are not directly trackable.

Security issues

The WUInst variant can be used by any web site to download and install SaveNow or other code from WhenU.

Stability problems

Yes. Early variants can cause frequent crashes.

Removal

SaveNow/B can be removed from the ‘SaveNow’ entry in the Control Panel’s ‘Add/Remove Programs’ option. SaveNow/Save can sometimes be removed from a ‘Save’ entry in Add/Remove Programs. SaveNow/Search can be removed from the ‘WhenU Search’ entry.

SaveNow/Db does not provide an Add/Remove Programs entry and must be removed manually. SaveNow/Download may be removed through the Control Panel, but leaves an ActiveX control behind; see below for removal.

SaveNow often also installs ‘WeatherCast’, a system tray icon that displays the current weather conditions, and/or ‘ClockSync’, a trivial NTP client. Unless you find these useful for some reason, you should probably also remove them from Add/Remove Programs.

Manual removal

For the Search variant, open a Command Prompt window (from the Accessories submenu in the [All] Programs menu on the Start button; called ‘DOS Prompt’ under Windows 95/98/Me) and enter the commands:

cd %WinDir%\System
regsvr32 /u "\Program Files\WhenUSearch\search.dll"

For all variants, open the registry (Start->Run->regedit) and find the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Delete the ‘SaveNow’, ‘WhenUSave’, ‘WhenUSearch’ or ‘VVSN’ values. Reboot and you should be able to delete the ‘SaveNow’, ‘Save’, ‘WhenUSearch’, ‘WhenUSearchWHSE’ or ‘VVSN’ folder inside ‘Program Files’.

To remove the ActiveX objects installed by the Download and Db variants, open the ‘Downloaded Program Files’ folder inside the Windows folder, and delete the SaveNow object. The name of this is ‘WhenUDownload’ in the Download variant, ‘FC327B3F-377B-4CB7-8B61-27CD69816BC3’ in the Db variant, and ‘E2F2B9D0-96B9-4B25-B90C-636ECB207D18’ in the WUInst variant.
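
The Run values, folders and ActiveX object names listed in the removal steps above can be checked for without changing anything. The following PowerShell audit is an added example, not part of the original record or of Andrew Clover's detection script; the Wow6432Node Run key, 'Program Files (x86)' and the Distribution Units registry path are assumptions that do not appear on this page.

```powershell
# Read-only audit of the SaveNow/WhenU indicators named on this page; deletes nothing.
$runValues = 'SaveNow', 'WhenUSave', 'WhenUSearch', 'VVSN'
$folders   = 'SaveNow', 'Save', 'WhenUSearch', 'WhenUSearchWHSE', 'VVSN'
$activeX   = 'WhenUDownload',
             'FC327B3F-377B-4CB7-8B61-27CD69816BC3',
             'E2F2B9D0-96B9-4B25-B90C-636ECB207D18'

# Assumption: on 64-bit Windows, 32-bit software uses the Wow6432Node Run key
# and 'Program Files (x86)'; the page itself names only the first of each.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
# Assumption: ActiveX objects shown in 'Downloaded Program Files' are registered here.
$unitsKey = 'HKLM:\Software\Microsoft\Code Store Database\Distribution Units'

$findings = @()
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $runValues) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += [pscustomobject]@{ Type = 'Run value'; Name = $name; Location = $key; Detail = $props.$name }
        }
    }
}
foreach ($dir in $programDirs) {
    foreach ($name in $folders) {
        # 'Save' is a generic folder name: confirm the contents before treating it as a hit.
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Container) {
            $findings += [pscustomobject]@{ Type = 'Folder'; Name = $name; Location = $dir; Detail = $path }
        }
    }
}
foreach ($unit in (Get-ChildItem -Path $unitsKey -ErrorAction SilentlyContinue)) {
    foreach ($name in $activeX) {
        if ($unit.PSChildName -like "*$name*") {
            $findings += [pscustomobject]@{ Type = 'ActiveX'; Name = $name; Location = $unitsKey; Detail = $unit.PSChildName }
        }
    }
}

if ($findings.Count -eq 0) {
    'No SaveNow/WhenU indicators from this page were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```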

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
